I recently interviewed prominent security researcher and ethical hacker Philippe Caturegli, who has collaborated with well-known security figures such as Kevin Mitnick and Brian Krebs. The initial aim of the conversation was to get his take on the recent data leak at CISA — the U.S. government organization that works to help entities reduce their cybersecurity risk.
However, during our behind-the-scenes interview, it became clear that Caturegli had much more knowledge to share than could fit in a single article. A large portion of our previously unpublished conversation centered on how AI is changing cybersecurity, both on the offensive and defensive sides.
This edition of my Root Access column offers IT professionals insights from my multi-part conversation with Philippe Caturegli, with a focus on how AI is being used in penetration testing and how organizations need to shift their security thinking along with technological change.
READ MORE:
ISO 42001: Understanding AI governance for everyday people as It becomes practical work
AI hype vs. reality in cybersecurity
While AI is certainly changing security in many ways, Caturegli believes that you shouldn’t believe everything you hear from the AI labs. Recent discussions suggest that Anthropic’s Mythos and Fable models could be used as hacking tools that may pose a national security risk. However, he provided a more nuanced perspective that extends beyond the headlines: “Yes, Mythos and Fable are powerful, but a lot of it is marketing. (The AI labs) all want to have market share today, so they are trying to get the headline saying they have the most powerful model. A lot of it is being taken out of proportion by the marketing, but that’s what they want.”
At the same time, speaking about the current state of the impact of AI on hacking, ethical or otherwise, Caturegli says AI truly does allow him to do more with less, which benefits his clients because they get more value out of his services. Caturegli believes that penetration testers have always needed to “find the right balance on how much time you’re going to spend to give (clients) the most value for the money they are willing to pay.” Now, with the help of AI tools, he says, “you can go much deeper and find some more obscure vulnerabilities. Things that would have taken you weeks or months of looking at source code, now you can find instantly. So to me, it’s super fascinating, this AI stuff right now, because my limitation was the time that I had. Now, it’s extending the time, and I feel like I have 48 hours in one day instead of 24 hours. For curious people like me, it’s a blessing.”
AI for code analysis
To illustrate just how powerful AI can be in the right hands, Caturegli shared the following story about his work with a recurring client: “We did a pentest four years in a row, and the first year we managed to compromise it. We actually managed to download some of the source code of the application. So the next year, they said, all right now we’ll give you the source code of the application so you can go deeper in the test and we compromised it again.”
When they revisited the same code with the help of AI, they were able to find a problematic line of code that had been previously overlooked on multiple occasions: “I found this most obvious vulnerability that we missed for the past four years, and it was just in front of me. There was one way of bypassing the authentication for all users, and I swear I looked at the code like 100 times.
Getting technical, Caturegli described how a single character in the code made all the difference: “It was a loose comparison. When you compare in PHP, if you do an equal (==), it compares two different types of data. So if you have an array and a boolean, it will still do the comparison. You’re supposed to use three equal signs (===) in order to do the (strict) comparison by type… (the vulnerability) was comparing a boolean with a string, which is always true. So you could end up putting any password and it would actually log you in.”
Speaking about how AI allowed him to find that previously missed line of faulty code, Caturegli explained, “There are millions of lines of code in this application… (AI) is doing a lot of the sorting and searching and the time consuming stuff ahead of time, so you can focus on the signal and not the 99% of noise that is in the code. So from this aspect, AI to me is super helpful.”
READ MORE:
Why 6G demands a network infrastructure and security overhaul?
But despite the power of AI to identify issues, Caturegli is quick to point out that it’s far from perfect: “AI is not magical. It doesn’t find things reliably unless you give it the right direction… you need to tell it exactly, ‘Hey, look at these types of vulnerabilities.’”
How hackers can use AI against businesses
Philippe Caturegli is quick to point out that while AI can be used by ethical hackers for good, malicious actors are also using the same tools: “AI is exacerbating weaknesses because now you’re finding a bunch of patches (that haven’t been applied)… It’s lowered the entry level because you don’t necessarily need to understand how to do the whole exploit chain. So from this aspect it’s helping the bad guys, but it’s also helping the good guys.”
Speaking about a specific example on how AI can train hackers who lack knowledge in some areas, he shared a personal anecdote: “Recently I reverse engineered a patch from Microsoft. I suck at assembly code and things like this I never really understood. Now I have AI, and it’s like having your personal trainer next to you, and it’s teaching you. You can ask all the right questions, and it can explain to you, and then in one hour I had a crash course, like I did two years of grad school in reverse engineering. There’s this risk, though: All the threat actors now don’t need to have a degree or all of this research experience in pentesting. They can just ask a question, and the agent is going to do it… yes, it does lower the entry bar.”
Overall, Caturegli believes that AI as a tool is increasing capabilities on both sides in a relatively balanced way: “I don’t think it’s asymmetric where only the bad guys are using it and the good guys are not using it. Everything is accelerating on the offensive side, but also on the defensive side. All the SOCs (security operations centers) are now are using it. They can process so much more data than before.”
Why humans are still extremely important in cybersecurity
When I asked Caturegli about the threat from agents intent on compromising the company’s network, he shared his thoughts on some of AI’s current weaknesses: “Honestly, it’s easy to pick up on if the AI agent is doing pentesting because there’s a lot of mistakes and indicators… You can catch on pretty quickly which stuff is orchestrated by the AI agent, because it’s a lot more systematic” than a human who would follow their intuition.
However, he said that the combination of a human working alongside AI agents when pentesting is a “most deadly” combination, because a competent human can outsource specific tasks to AI in key areas where it’s going to do the most damage, instead of blindly asking AI to scan everything.
Additionally, with the rising cost of AI tokens, using agents without guidance from experienced human pentesters could become prohibitively expensive. According to Caturegli: “I see it when I do some code reviews with AI. It’s going to use millions of (expensive) tokens reading the code.”
The practical and cost-effective alternative is for pentesters to focus the AI’s activities by telling it, “This is the function that I’m interested in, the authentication part. Please look at this data flowing through the different functions. That’s where AI is a lot more valuable.”
Caturegli feels strongly that hackers will need to use AI more conservatively in the near future because of the shifting economics of using the technology. “The price of the AI subscriptions are all subsidized by the VCs that invested billions. So right now, yes, it makes sense for the threat actors to use it, and then for us (ethical hackers) to do reviews on crappy work or stuff that you would ask an intern to do. Now you can do it for cheaper with AI. At some point, when we are going to have to pay the real price, it’s going to be a lot more expensive and it’s going to kind of die down or it’s going to have to be a lot more specialized.”
How IT should operate in a post-AI security world
Now that AI makes it easier for threat actors to find vulnerabilities, Caturegli suggests that businesses and IT professionals should adopt a new paradigm where you assume that your defensive perimeter may be compromised by default.
Speaking to the future, Caturegli states, “Patch management is not something that is ever going to work… When you take an ‘assume breach’ stance, the breach can still happen, but if you kick out the threat actors before they can get to your crown jewels, or delete your data, or steal your data, it’s a breach, but it’s not a damaging breach… Are you able to detect us when we find this zero-day and we exploit it, and we access this data? Don’t just test your external perimeter… Just assume that somebody with bad intentions is already on your network, and then see what you can do.”
As for solutions that are useful in this new post-AI security world, Caturegli recommends keeping things simple with a specific non-AI solution: “A honeypot is just a system that sits in the network and does nothing, and to me that’s the best solution that’s very cheap and a good way of catching the attacker. It’s not going to prevent the breach, but (if accessed) it’s a strong indicator that something is wrong in your network, and then you should look into something.”
Caturegli believes other technologies are still useful, but using a canary in the coal mine-style alarm is critical and effective when time is of the essence: “Companies all have their SIEM and SOC, and they’re monitoring as much as they can, but you get buried… So it’s good to have some strong indicator (like a honeypot) where there’s almost no false positive. That’s the one that you should act on. And when you have an alert on this, you need to act super quickly, rather than try to look at all the behavior of all your users and trying to predict which behavior is suspicious or not. You’re going to have thousands of false positives, and that creates security fatigue.”
Finally, on the importance of the ‘assume breach’ paradigm, Caturegli emphasized why organizations should follow this advice by issuing a warning: “Don’t assume that it’s going to only happen to someone else… It’s definitely going to happen to you.”
Click Here For The Original Source.
